Nota-fiscal2.1.msi (initial sample)

Filename: Nota-fiscal2.1.msi
Filetype: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy: 7.878669813569731
Filesize: 2994176
MD5: 6032d2452e05a12f1449182deb3ab258
SHA1: 03a992f9020a003fe86e477ac28698afc16a73d3
SHA256: 394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46
SHA512: 1318d1844efe031d05499e642c9509422a9f92977b8b4c76d38c6c614d81813af4ec927d2dd807e9b7b205ab06ea1800eb4a082f1a89a4e3721a37301165e28d
SSDEEP: 49152:9+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:9+lUlz9FKbsodq0YaH7ZPxMb8tT

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection |
Sample file is different than original file name gathered from version info | System Summary |
Sample is a Windows installer | System Summary |
Sample is known by Antivirus | System Summary |
Submission file is bigger than most known malware samples | System Summary |

File: C:\Config.Msi\50269e.rbs
Category: dropped
Dump: 50269e.rbs.2.dr
ID: dr_340
Target ID: 2
Process: C:\Windows\System32\msiexec.exe
Type: data
Entropy: 5.658429195760423
Encrypted: false
Ssdeep: 192:1GjYxz1ccbTOOeMeKn61z7r6IHfz7r6kAVv70HVotBVeZEmzmYpLAV77uppY9ur:4sD2XbpbtiB2iK
Size: 8825
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Yara detected AteraAgent | Remote Access Functionality |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Category: dropped
Dump: AteraAgent.InstallLog.13.dr
ID: dr_372
Target ID: 13
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy: 4.853078320826549
Encrypted: false
Ssdeep: 12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
Size: 753
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Yara detected AteraAgent | Remote Access Functionality |
Creates install or setup log file | Compliance, Persistence and Installation Behavior |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Category: dropped
Dump: AteraAgent.exe.2.dr
ID: dr_332
Target ID: 2
Process: C:\Windows\System32\msiexec.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.874150428357998
Encrypted: false
Ssdeep: 3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
Size: 145968
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Yara detected AteraAgent | Remote Access Functionality |
Creates files in the system32 config directory | Persistence and Installation Behavior |
Installs Task Scheduler Managed Wrapper | Boot Survival |
Reads the Security eventlog | Spam, unwanted Advertisements and Ransom Demands |
Reads the System eventlog | Spam, unwanted Advertisements and Ransom Demands |
Writes many files with high entropy | Spam, unwanted Advertisements and Ransom Demands |
Adds / modifies Windows certificates | Lowering of HIPS / PFW / Operating System Security Settings |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Creates files inside the system directory | System Summary |
Creates or modifies windows services | Boot Survival |
Drops PE files | Persistence and Installation Behavior |
Drops certificate files (DER) | E-Banking Fraud |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Found inlined nop instructions (likely shell or obfuscated code) | Software Vulnerabilities | Obfuscated Files or Information
Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Hooking and other Techniques for Hiding and Protection |
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Stores large binary data to the registry | Hooking and other Techniques for Hiding and Protection |
Very long cmdline option found, this is very uncommon (may be encrypted or packed) | HIPS / PFW / Operating System Protection Evasion | Command and Scripting Interpreter
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Reads ini files | System Summary | File and Directory Discovery
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Uses sc.exe to modify the status of services | Boot Survival |
Creates install or setup log file | Compliance, Persistence and Installation Behavior |
Uses Microsoft Silverlight | System Summary |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config
Category: dropped
Dump: AteraAgent.exe.config.2.dr
ID: dr_333
Target ID: 2
Process: C:\Windows\System32\msiexec.exe
Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy: 5.076953226383825
Encrypted: false
Ssdeep: 24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
Size: 1442
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Creates files in the system32 config directory | Persistence and Installation Behavior |
Installs Task Scheduler Managed Wrapper | Boot Survival |
Reads the Security eventlog | Spam, unwanted Advertisements and Ransom Demands |
Reads the System eventlog | Spam, unwanted Advertisements and Ransom Demands |
Writes many files with high entropy | Spam, unwanted Advertisements and Ransom Demands |
Adds / modifies Windows certificates | Lowering of HIPS / PFW / Operating System Security Settings |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Creates files inside the system directory | System Summary |
Creates or modifies windows services | Boot Survival |
Drops PE files | Persistence and Installation Behavior |
Drops certificate files (DER) | E-Banking Fraud |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Found inlined nop instructions (likely shell or obfuscated code) | Software Vulnerabilities | Obfuscated Files or Information
Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Hooking and other Techniques for Hiding and Protection |
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Stores large binary data to the registry | Hooking and other Techniques for Hiding and Protection |
Very long cmdline option found, this is very uncommon (may be encrypted or packed) | HIPS / PFW / Operating System Protection Evasion | Command and Scripting Interpreter
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Reads ini files | System Summary | File and Directory Discovery
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Uses sc.exe to modify the status of services | Boot Survival |
Creates install or setup log file | Compliance, Persistence and Installation Behavior |
Uses Microsoft Silverlight | System Summary |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Category: dropped
Dump: BouncyCastle.Crypto.dll.2.dr
ID: dr_334
Target ID: 2
Process: C:\Windows\System32\msiexec.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.534876879948643
Encrypted: false
Ssdeep: 49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
Size: 3318832
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Category: dropped
Dump: ICSharpCode.SharpZipLib.dll.2.dr
ID: dr_335
Target ID: 2
Process: C:\Windows\System32\msiexec.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.030864151731967
Encrypted: false
Ssdeep: 6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
Size: 215088
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Category: dropped
Dump: Newtonsoft.Json.dll.2.dr
ID: dr_336
Target ID: 2
Process: C:\Windows\System32\msiexec.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.96048066969898
Encrypted: false
Ssdeep: 12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
Size: 710192
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability.zip
Category: dropped
Dump: Agent.Package.Availability.zip.25.dr
ID: dr_509
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: Zip archive data, at least v2.0 to extract, compression method=store
Entropy: 7.999089346076748
Encrypted: true
Ssdeep: 24576:dem8imkU2j0Fqz3bMHdhp/NI1l+VJp3clqiovyfcyPHs7tQinWD4Zl0h9:Eir+0zLMHdLzJegi3FPWa4kr
Size: 1343836
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Writes many files with high entropy | Spam, unwanted Advertisements and Ransom Demands |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll
Category: dropped
Dump: Agent.Package.Availability.dll.25.dr
ID: dr_513
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.303222841037921
Encrypted: false
Ssdeep: 1536:nt/wYNE1tpVWuPbikPzfYtMfKio1+pi76a:CrpcSbiUfYniokpid
Size: 69200
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Yara detected AteraAgent | Remote Access Functionality |
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
Category: dropped
Dump: Agent.Package.Availability.exe.25.dr
ID: dr_515
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32+ executable (console) x86-64, for MS Windows
Entropy: 6.201270759332732
Encrypted: false
Ssdeep: 3072:IhK4Uay3XrQ8habqgp9pC9Z6p5uf3C6k0xuZ04ntfxRhBuXYH:IhK4XycqgpfCup5sVxuZ04JhAw
Size: 149584
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll
Category: dropped
Dump: Atera.Agent.Package.Infrastructure.dll.25.dr
ID: dr_523
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.22958768719225
Encrypted: false
Ssdeep: 768:CdC12fGe0RmiGRq4So5W7heIpsxzScSffZHhxmouk3pUmUJk7EpYi60p:C0Rmg4R5WOScSHZHhkoukUnk076s
Size: 59472
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Yara detected AteraAgent | Remote Access Functionality |
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dll
Category: dropped
Dump: MQTTnet.Extensions.ManagedClient.dll.25.dr
ID: dr_633
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.24897905501437
Encrypted: false
Ssdeep: 768:IjPkdaG23BdHAnoekKhbdzn9kpWcwfRLzfoZrx6nnPMfm8XoJE5GtSdxEpYi60m:2PGShI7mW1ZoZrcn0e0oJ4Gtu676/
Size: 54352
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dll
Category: dropped
Dump: MQTTnet.dll.25.dr
ID: dr_632
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.172728735037653
Encrypted: false
Ssdeep: 6144:6F0eAyIQXbKwPMF83GUN/7a3zyROhmogpE2/M3jV:68QLKwPMKGUuBhh33jV
Size: 311888
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dll
Category: dropped
Dump: Microsoft.Extensions.Configuration.Abstractions.dll.25.dr
ID: dr_525
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.566585229934546
Encrypted: false
Ssdeep: 384:ym++Js0qJ63NU17qtlR9iaTG/0wEzRjz6sMHJhOnAWM/aWsrNWsNyb8E9VF6IYio:xlso3W7qHypd//S7EpYi60sN
Size: 26192
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dll
Category: dropped
Dump: Microsoft.Extensions.Configuration.Binder.dll.25.dr
ID: dr_528
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.48928851924121
Encrypted: false
Ssdeep: 768:0RnQyuN61yKW1Guh2dIewN3czA8i1Krao8EpYi60r:0dgA1yKW1L0dkNc081+oV76C
Size: 34896
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dll
Category: dropped
Dump: Microsoft.Extensions.Configuration.CommandLine.dll.25.dr
ID: dr_529
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.681268546033957
Encrypted: false
Ssdeep: 384:v9FrztnCvZrlMIPTlLn9by3WKbW97nWaNyb8E9VF6IYijSJIVxut8X7dC:vbztn2AmxniKfEpYi60ZQ
Size: 24144
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dll
Category: dropped
Dump: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
ID: dr_533
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.727784600213874
Encrypted: false
Ssdeep: 384:DsGu6f0Ux3STFWUQeWiNyb8E9VF6IYijSJIVx/bU:DsGuWRTiEpYi60g
Size: 19536
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll
Category: dropped
Dump: Microsoft.Extensions.Configuration.FileExtensions.dll.25.dr
ID: dr_535
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.553574715549202
Encrypted: false
Ssdeep: 384:LY5JfZB7plLDwLx0umTZXA/XABRfhzWqr6WBNyb8E9VF6IYijSJIVxeB8eupO1T:krd8Y0wRhz5EpYi60eXfT
Size: 27216
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dll
Category: dropped
Dump: Microsoft.Extensions.Configuration.Json.dll.25.dr
ID: dr_537
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.558993316506694
Encrypted: false
Ssdeep: 384:2I2/cK/FWwbGXC8e1lje1l6RWkb2WmNyb8E9VF6IYijSJIVxErKQ:2I2/cqFWwSl6hXGEpYi60ZQ
Size: 26704
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dll
Category: dropped
Dump: Microsoft.Extensions.Configuration.UserSecrets.dll.25.dr
ID: dr_539
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.50656017431959
Encrypted: false
Ssdeep: 384:ew6kebL1iFn6d6E1oE1LdAAW9ACWDNyb8E9VF6IYijSJIVxvcTEfPM:OZbcWusrEpYi60Q
Size: 25680
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll
Category: dropped
Dump: Microsoft.Extensions.Configuration.dll.25.dr
ID: dr_531
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.447047966837658
Encrypted: false
Ssdeep: 768:Ki4PV4eWxaVsQLqyCekI/q/xGljnEpYi60kmk:KaVxa2QXUxajA763b
Size: 37456
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll
Category: dropped
Dump: Microsoft.Extensions.DependencyInjection.Abstractions.dll0.25.dr
ID: dr_541
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.259765573595323
Encrypted: false
Ssdeep: 768:48+cxuPn//hpz2XCkCkCdvAb4b4qox06OoV0F8l0HCTpw0wo0emWEpYi60Im:v+cxuPn/bvvE0Q0HCNfBsX76vm
Size: 44624
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dll
Category: dropped
Dump: Microsoft.Extensions.DependencyInjection.dll0.25.dr
ID: dr_543
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.279395276448406
Encrypted: false
Ssdeep: 1536:MNLmvi666OjIX0h9zMPvHBWCaRweUG4DynjEZnBU76W:C66fjLb8vH0CiUG4DyneBUV
Size: 82512
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Abstractions.dll
Category: dropped
Dump: Microsoft.Extensions.FileProviders.Abstractions.dll0.25.dr
ID: dr_548
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.570886566686519
Encrypted: false
Ssdeep: 384:1lfkJv/RYTWl6+MTxMufuMc8CWsbhWNNyb8E9VF6IYijSJIVxU5Px:1lcJnRYTwIjJ66EpYi60Mx
Size: 22096
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll
|
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
 |
|
|

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll
Category: dropped
Dump: Microsoft.Extensions.FileProviders.Physical.dll0.25.dr
ID: dr_551
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.433963128917156
Encrypted: false
Ssdeep: 768:QHxWCQ4MPJG3cOeeapdUgsWflN+Qu5sEpYi60Jit:QHxW58re3pdUqN5u5l767t
Size: 43600
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll
Category: dropped
Dump: Microsoft.Extensions.FileSystemGlobbing.dll0.25.dr
ID: dr_553
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.35524811084824
Encrypted: false
Ssdeep: 768:llwMU3jMMSPNueKQWjRUILOK2Ksf/qSCgHgUsJ5EpYi60NC:luMUJqLWjRHFtsHqSCgHgUsJC76eC
Size: 45136
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.Abstractions.dll
Category: dropped
Dump: Microsoft.Extensions.Hosting.Abstractions.dll0.25.dr
ID: dr_557
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.563421162092523
Encrypted: false
Ssdeep: 384:XfGp7YacaEaVNbG12flBF76euwMw0tXXVfFQkzsG9kni7QXRdQWibdW/Nyb8E9Vb:FwVNz9BF76ejMbmHXRQEEpYi60v
Size: 28752
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dll
Category: dropped
Dump: Microsoft.Extensions.Hosting.dll0.25.dr
ID: dr_559
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.303006003462976
Encrypted: false
Ssdeep: 768:BBu8CE7AFg+0ITvhADGmnnbaTfP63+R3u9q09ePEpYi6084:BcfWA2+DjaD/nnba+3uwq09eo76s
Size: 56400
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dll
Category: dropped
Dump: Microsoft.Extensions.Logging.Abstractions.dll0.25.dr
ID: dr_561
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.286000155952392
Encrypted: false
Ssdeep: 768:5+UfRQY8PGNWovMLJYBjtLgnuAAAAAknwd45FnrfMq1/yJuoiYblHJg6GOmDuZEm:5+tY8PIiq51wcFnDMsno7jRmai76z
Size: 63056
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Configuration.dll
Category: dropped
Dump: Microsoft.Extensions.Logging.Configuration.dll0.25.dr
ID: dr_565
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.550255374820454
Encrypted: false
Ssdeep: 384:rr0yw26S3QgV/UxNmsUspvnipmgNRLGc3WxsBU7RWPpNyb8E9VF6IYijSJIVxfju:rr0j26i92L6zBU7qEpYi60K
Size: 27728
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dll
Category: dropped
Dump: Microsoft.Extensions.Logging.Console.dll0.25.dr
ID: dr_568
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.366539311067249
Encrypted: false
Ssdeep: 768:5TGWFIlYoY5b3OxMZnndnnennnnnnRt3nV+JEtpzU+uujK2lBJqFsSjKcb72EpYF:5iKIe9JyvSCG2l+NT76j7
Size: 51280
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dll
Category: dropped
Dump: Microsoft.Extensions.Logging.Debug.dll0.25.dr
ID: dr_571
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.6321696002282415
Encrypted: false
Ssdeep: 384:Iv+kBD/v7WJZVMWurNyb8E9VF6IYijSJIVxCbm5O:ImMbumEpYi60GkO
Size: 19024
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dll
Category: dropped
Dump: Microsoft.Extensions.Logging.EventLog.dll0.25.dr
ID: dr_579
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.599810143385852
Encrypted: false
Ssdeep: 384:ozTu6iOUdGgvklNpdOHhvVhZQVW27FWcNyb8E9VF6IYijSJIVxC/8Kbs:oziZOwklFYh43EpYi60b
Size: 25168
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dll
Category: dropped
Dump: Microsoft.Extensions.Logging.EventSource.dll0.25.dr
ID: dr_581
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.561365702132756
Encrypted: false
Ssdeep: 384:w2x4wbbh7Kx8kJ3yiW8/zKeGmBt1qm1CS1yvhGcRtquW3LUWbNyb8E9VF6IYijSA:Mwvh7KxdlW8JvrpEpYi602o
Size: 33872
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dll
Category: dropped
Dump: Microsoft.Extensions.Logging.dll0.25.dr
ID: dr_575
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.393282496543562
Encrypted: false
Ssdeep: 768:ZX8pDT8XP6hA+wMaLWCzAVLOPnaEpYi60IX:ZXiDTaP6hfY1GOPnb76p
Size: 45648
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dll
Category: dropped
Dump: Microsoft.Extensions.Options.ConfigurationExtensions.dll0.25.dr
ID: dr_585
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.630370013862285
Encrypted: false
Ssdeep: 384:JoePm+VIkOdHt6Zx8HignlSZYT9zWzL0WVNyb8E9VF6IYijSJIVxD7P1dH:jPzVIko9FD9o3EpYi60nvH
Size: 23632
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.dll
Category: dropped
Dump: Microsoft.Extensions.Options.dll0.25.dr
ID: dr_629
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.3151782328030315
Encrypted: false
Ssdeep: 768:5CD3yk2B8+9PwwOxC8wZLq6J4q2r0qafouRVPvW37EpYi60xgX:4kB8+94xxBmm6mqaBafouRdi076RX
Size: 59984
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dll
Category: dropped
Dump: Microsoft.Extensions.Primitives.dll0.25.dr
ID: dr_631
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.339405665850936
Encrypted: false
Ssdeep: 768:blx+oQSHqk49NI0OP7NWEfDkkuiEk3LVi4EpYi60HQu:HVQSyI0OP7NxfAkuiEkbwB76xu
Size: 41040
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dll
Category: dropped
Dump: Newtonsoft.Json.dll3.25.dr
ID: dr_634
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.9631600686922255
Encrypted: false
Ssdeep: 12288:Heos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQD:H0/POdGV5jfW5VnhFyvOB7jW5JMt1
Size: 697936
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Polly.dll
Category: dropped
Dump: Polly.dll1.25.dr
ID: dr_635
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.198363790367796
Encrypted: false
Ssdeep: 3072:vMiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcONz:vMZpj06vUsMjbQ77D+J
Size: 285776
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dll
Category: dropped
Dump: Serilog.Extensions.Hosting.dll0.25.dr
ID: dr_639
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.29363728833945
Encrypted: false
Ssdeep: 768:sdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsId3:sxuJRRsnHnyhQupytM9z7O3zfXYvj8rY
Size: 38992
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dll
Category: dropped
Dump: Serilog.Extensions.Logging.dll0.25.dr
ID: dr_640
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.5526871130669235
Encrypted: false
Ssdeep: 384:mSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYhNyb8E9VF6IYijSJIVxKtKe:mSCZUl2O1zCnXyzDeEpYi60krf
Size: 27728
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dll
Category: dropped
Dump: Serilog.Sinks.File.dll0.25.dr
ID: dr_641
Target ID: 25
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.319730161148232
Encrypted: false
Ssdeep: 768:DUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BCEpYi60j:YLrgfPw3mXREaD76q
Size: 41552
Whitelisted: false